ID: 41899
User updated by: geoffwa at cs dot rmit dot edu dot au
Reported By: geoffwa at cs dot rmit dot edu dot au
Status: Assigned
Bug Type: Streams related
Operating System: Solaris 10
PHP Version: 5.2.3
Assigned To: tony2001

New Comment:
I'll stress again that while the patch may work, I'm not sure if it's 'correct' or not, mainly because I have no idea what php_checkuid_ex() is supposed to return; safe_mode-isms like open_basedir may need it. I just traced the execution of the offending PHP script repeatedly for the failure case, and deduced that the expand_filepath() call in php_checkuid_ex() that I've removed in the patch was returning an empty path under similar conditions to where a getcwd() call would fail. The actual path blatting appeared to occur in virtual_file_ex(), and we produced a separate patch which completely short-circuited this function and also made all the test conditions work. Given that PHP6 is removing safe_mode completely, I imagine this problem will hopefully be fixed then :)

Previous Comments:
------------------------------------------------------------------------

[2007-09-12 11:53:14] ian at onlineloop dot com

I've tried the patch offered by Geoff. It seems to work just fine for us too in the CVS version from today (php5.2-200709121030).

------------------------------------------------------------------------

[2007-09-12 10:38:34] ian at onlineloop dot com

Verified that this is still not working in 5.2.4. We made a system available on a Sun E3500, partially for the purposes of fixing this bug. The last login from anyone from the PHP team was on 5 July 2007. Is there any time plan to fix this bug? We are running on Solaris 10 and are stuck on PHP 5.1.6 because of this problem, so the situation for us is critical.

------------------------------------------------------------------------

[2007-08-14 15:21:39] wdierkes at 5dollarwhitebox dot org

I have verified that this is *NOT* fixed in the latest CVS snapshot. Tested on Redhat Enterprise Linux 4 i386. Can we get an ETA on an official patch?
------------------------------------------------------------------------

[2007-07-07 02:04:42] geoffwa at cs dot rmit dot edu dot au

No idea if this is correct but it fixes it:

diff -ur ./php5.2-200707060030/main/safe_mode.c ./php-5.2-snap/main/safe_mode.c --- ./php5.2-200707060030/main/safe_mode.c 2007-01-13 00:30:58.000000000 +1100 +++ ./php-5.2-snap/main/safe_mode.c 2007-07-07 11:42:10.804129000 +1000 @@ -86,7 +86,8 @@ * If that fails, passthrough and check directory... */ if (mode != CHECKUID_ALLOW_ONLY_DIR) { - expand_filepath(filename, path TSRMLS_CC); + // VCWD_STAT() can handle relative paths right? + strlcpy(path, filename, MAXPATHLEN); ret = VCWD_STAT(path, &sb); if (ret < 0) { if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) { diff -ur ./php5.2-200707060030/main/streams/plain_wrapper.c ./php-5.2-snap/main/streams/plain_wrapper.c --- ./php5.2-200707060030/main/streams/plain_wrapper.c 2007-04-19 00:31:35.000000000 +1000 +++ ./php-5.2-snap/main/streams/plain_wrapper.c 2007-07-07 11:58:57.673891000 +1000
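Review bot: Replacing `expand_filepath(filename, path TSRMLS_CC)` with `strlcpy(path, filename, MAXPATHLEN)` in the safe_mode.c hunk (@@ -86) drops the path resolution that the safe-mode uid check depends on, and the new comment ("VCWD_STAT() can handle relative paths right?") records that this is unverified: VCWD_STAT() will resolve a relative name against the current working directory, so the ownership check now runs on whatever string the script supplied rather than on the canonical file. Since the reported symptom is expand_filepath() returning an empty path when getcwd() fails, the fix belongs in expand_filepath() or in checking its result before the stat, not in skipping the call. Style: the surrounding code uses `/* */` comments (see the `* If that fails, passthrough and check directory... */` block in the same hunk), so the added `//` comment should match.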
@@ -888,9 +888,10 @@ return NULL; } - if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) == NULL) { - return NULL; - } + //if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) == NULL) { + // return NULL; + //} + realpath = estrndup(filename, strlen(filename)); if (persistent) { spprintf(&persistent_id, 0, "streams_stdio_%d_%s", open_flags, realpath);

------------------------------------------------------------------------

[2007-07-06 16:04:30] geoffwa at cs dot rmit dot edu dot au

It's still broken in CVS (my bad - forgot to remove the workaround patch we had). virtual_file_ex() gets called several times, with the last invocation being:

virtual_file_ex(state = 0xffbfdf9c, path = 0xffbfe018 "../b/file", verify_path = (nil), use_realpath = 1) called from function expand_filepath
virtual_file_ex returns 1

Having written a rather grandiose summary of stepping through virtual_file_ex() I think the problem might be in php_checkuid_ex().

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/41899
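Review bot: In the plain_wrapper.c hunk (@@ -888) the failure path is deleted outright: `realpath = estrndup(filename, strlen(filename))` cannot fail, so the opener no longer returns NULL when a path cannot be resolved, and `realpath` now carries the caller's unresolved string into `spprintf(&persistent_id, 0, "streams_stdio_%d_%s", open_flags, realpath)`. Persistent stream ids are therefore keyed on the literal (possibly relative) spelling, so one file opened under two spellings gets two ids while two different files with the same relative name from different working directories share one; if expansion is to be skipped, the id should still be derived from a resolved path. Minor: the three `//`-commented lines should be removed rather than left in, and `estrndup(filename, strlen(filename))` is just `estrdup(filename)`.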